Just Host Web Hosting Help

Google Flagged My Site as Malware

What is the warning?

Google puts this warning flag in its search results for pages
where its automated web crawler was attacked by viruses or spyware when
it visited the page. The purpose of the warning is to help protect less
savvy web surfers who are using Google search results by steering them
away from malicious pages.

The warning is not a punishment or penalty, nor does it mean
that Google, Yahoo, Firefox, or StopBadware think you designed a
malicious site. They all know that the overwhelming majority of
webmasters do not create malicious pages on purpose. But they also
don't want to send their customers to dangerous pages. All that is
needed is some cleanup before they start referring visitors again.

Why is my site flagged?

Here are reasons why your website can be flagged with the "This
site may harm your computer" warning in Google search results:

Your site was hacked. This is the most common reason for the
badware flag. If someone can trick your server into allowing them to
modify files in your site, they can insert malicious code into your web
pages or database tables, or they can alter your .htaccess or your HTML
or JavaScript code so your site automatically redirects visitors to a
malicious site.

A site other than yours got hacked, but it is affecting the
content on your pages. Let's say your pages have normally harmless
iframes or JavaScript that a visitor's browser pulls in from the
other website through the HTML attribute
"src=http://othersite", or they use PHP code that resides on another
website and is pulled into your pages with a PHP include() before
being served. If the other website gets hacked, your pages can turn
dangerous, too, if the content that the other site was supposed to be
sending out (advertisements, hit counters, top 10 lists ...) gets
replaced by viruses, spyware, or other bad things. Whenever you use
content from another website on your pages, you are dependent on that
other site staying clean.

Your pages trigger the loading of Flash .swf files that are
scripted to do malicious things or that are out of date and
exploitable. Flash advertising is a common problem area.

(Your site contains an outlink to another site that has
badware on it.) This was once a major reason for being flagged. That
might not be true anymore, but it is still worthwhile to check your
outlinks to make sure you are not linking to malicious sites, or to a
site that got hacked and has turned malicious.

StopBadware and Google describe the criteria they use to determine
whether a website is contributing to the badware problem.

The Firefox 3.x and Chrome browsers use data from the Google
Safe Browsing Service to warn users about suspected malicious
sites. If your site is flagged in Google search results, Firefox 3
users are getting a warning that says, "Reported Attack Site!" and they
are blocked from going there.

How to search your pages for malicious code

Discover which pages are flagged for malware and get
clues about why they are flagged

In any Google search box, enter:

site:yoursite.com

Note which pages have the warning flag. Usually, it is all of them, but
sometimes it's only one section such as the forum or blog, which tells
you where to focus most of your attention.

Click the search results link for one of your flagged pages.
Instead of going to your site, it will take you to a Google
"interstitial" warning page.

On that page, follow the link to the "Safe Browsing diagnostic
page" and study it. Another way to get to the Safe Browsing diagnostic
page directly (you can check any website this way) is by entering this
URL into your browser address bar. Replace EXAMPLE.COM with the
address of the website you want to check:

http://www.google.com/safebrowsing/diagnostic?site=EXAMPLE.COM

Go to Webmaster Tools at Google Webmaster Central. If you
don't have an account there, create one. It's free. They show the
badware status of your site, help information, and a partial list of
the pages they consider suspicious.

Look up your site in the StopBadware Clearinghouse database.

If Symantec's Norton Safe Web has found malware,
their report shows the locations (filenames) of the threats more
completely than the Google and StopBadware reports.

Scan pages of your website at UnmaskParasites to find hidden
iframes.

Scan pages of your website at Dasient.

Do a web search on each of the domain names and IP addresses
mentioned in your Google Safe Browsing Diagnostic report as being the
sources or intermediaries of the malware on your pages. Some of these
website names and IP addresses are associated with specific types of
attacks. For example, if the domains mentioned are gumblar or martuz,
it is certain that a virus on the PC of one of your site administrators
stole the FTP login information and used it to hack the site, so you
must do virus scans. On the other hand, if the domain is beladen, you
are facing a server-wide compromise, not just an ordinary attack on
your one website, so you must notify your webhost. These domain names
can give you good clues about what is wrong and save you a lot of time
if your search is successful.

Now that you have preliminary information about which pages are
affected and what seems to be wrong with them, you can start searching
for bad code.

Search your source code for badware

Whenever possible, view and search the source code of your pages
on your server. This allows you to see ALL the code, including code
that is inserted into the pages only some of the time.

Explanation: Some exploits put malicious code on pages
only under certain conditions such as if the visitor is using Internet
Explorer or if they came to your site from a Yahoo or Google search
results page. Your particular viewing might not meet those conditions
(such as if you're using Firefox or you went directly to the site
without going through a search engine). If you examine pages with your
browser's View Source command, you can think the page is clean even
though at other times, or when other people view it, it's not.

Examining the source code on your server lets you see all the code
that's there.
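
The server-side search described above, as an added example (not part of the original article and not a Just Host, Google or StopBadware tool): it reads files straight from the document root, lists every iframe or script pulled from a host that is not yours (the "src=http://othersite" dependency from the flagging reasons), marks iframes that are hidden from view, and reports .htaccess redirects that fire only for certain referrers or browsers. The function names, the `own_hosts` set and the `.example` host names are assumptions, and the sample rule is constructed.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# <iframe>/<script> tags that pull content in through src=...
SRC_TAG = re.compile(r'<(iframe|script)\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)[^>]*>', re.I)
# Attributes or styles that keep an iframe out of the visitor's sight
HIDDEN = re.compile(r'(?:width|height)\s*=\s*["\']?[01](?:px)?["\'\s>]'
                    r'|display\s*:\s*none|visibility\s*:\s*hidden', re.I)
# .htaccess conditions keyed on the referring site or the visitor's browser
COND = re.compile(r'\s*RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}', re.I)
RULE = re.compile(r'\s*RewriteRule\s+\S+\s+(https?://[^\s"]+)', re.I)
# Constructed sample (not from a real site): redirects search-engine visitors only
SAMPLE_HTACCESS = ("RewriteCond %{HTTP_REFERER} (google|yahoo) [NC]\n"
                   "RewriteRule ^(.*)$ http://badhost.example/in.php [R=302,L]\n")

def scan_markup(text, own_hosts):
    """Return (kind, host) for every iframe/script loaded from a foreign host."""
    hits = []
    for m in SRC_TAG.finditer(text):
        tag, host = m.group(1).lower(), (urlparse(m.group(2)).hostname or "").lower()
        if host and host not in own_hosts:
            hidden = tag == "iframe" and HIDDEN.search(m.group(0))
            hits.append(("hidden-iframe" if hidden else "external-" + tag, host))
    return hits

def scan_htaccess(text, own_hosts):
    """Return off-site redirects that fire only for some referrers or browsers."""
    hits, cond = [], None
    for line in text.splitlines():
        c, r = COND.match(line), RULE.match(line)
        if c:
            cond = c.group(1).upper()
        elif r and cond:
            host = (urlparse(r.group(1)).hostname or "").lower()
            if host and host not in own_hosts:
                hits.append(("conditional-redirect:" + cond, host))
        if line.strip().lower().startswith("rewriterule"):
            cond = None  # conditions apply only to the next RewriteRule
    return hits

def scan_tree(root, own_hosts, exts=(".html", ".htm", ".php", ".js")):
    report = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        scan = scan_htaccess if path.name == ".htaccess" else scan_markup
        if scan is scan_htaccess or path.suffix.lower() in exts:
            hits = scan(path.read_text(encoding="utf-8", errors="replace"), own_hosts)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report
```

Call `scan_tree` with your document root and the set of host names you serve from; every host it reports is one your pages depend on staying clean, and any hidden iframe or conditional redirect you did not add yourself is a place to start the cleanup.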